nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

The user's password is displayed in plain text. #4030

Open Danilovt opened 9 months ago

Danilovt commented 9 months ago
The situation occurs when Teampass is configured with Active Directory and multi-factor authentication.

### Steps to reproduce

1. Open the browser's developer tools.
2. Enter a valid Active Directory account on the login screen.
3. Enter any password.
4. Leave the identification field blank or enter a wrong one.
5. Click the log in button.

### Expected behaviour

An LDAP error is displayed and the password should not be identifiable.

### Actual behaviour

An LDAP error is displayed, but the password is also shown in plain text in the console.

![image](https://github.com/nilsteampassnet/TeamPass/assets/88093864/145403da-7c0d-4b59-9a9c-cb3b79ad92a1)

### Server configuration

**Operating system:** Alpine Linux v3.12 with docker compose

**Web server:** nginx 1.25.3

**Database:** mysql-server 5.7

**PHP version:** 7.4.9

**Teampass version:** 3.0.10

**Teampass configuration file:**

```php
'max_latest_items' => '10',
'enable_favourites' => '1',
'show_last_items' => '1',
'enable_pf_feature' => '0',
'log_connections' => '0',
'log_accessed' => '1',
'time_format' => 'H:i:s',
'date_format' => 'd/m/Y',
'duplicate_folder' => '1',
'item_duplicate_in_same_folder' => '0',
'duplicate_item' => '1',
'number_of_used_pw' => '3',
'manager_edit' => '1',
'cpassman_dir' => '/var/www/html',
'cpassman_url' => 'https://xxx',
'favicon' => 'https://xxx/favicon.ico',
'path_to_upload_folder' => '/var/www/html/upload',
'url_to_upload_folder' => 'https://xxx/upload',
'path_to_files_folder' => '/var/www/html/files',
'url_to_files_folder' => 'https://xxx/files',
'activate_expiration' => '0',
'pw_life_duration' => '0',
'maintenance_mode' => '0',
'enable_sts' => '0',
'encryptClientServer' => '1',
'cpassman_version' => '3.0.0.21',
'ldap_mode' => '1',
'ldap_type' => 'ActiveDirectory',
'ldap_suffix' => '@xxx',
'ldap_domain_dn' => 'OU=xxx',
'ldap_domain_controler' => 'xxx',
'ldap_user_attribute' => 'samaccountname',
'ldap_ssl' => '0',
'ldap_tls' => '0',
'ldap_search_base' => '0',
'ldap_port' => '389',
'richtext' => '0',
'allow_print' => '1',
'roles_allowed_to_print' => '["["["["["1","2"]"]"]"]"]',
'show_description' => '1',
'anyone_can_modify' => '0',
'anyone_can_modify_bydefault' => '0',
'nb_bad_authentication' => '0',
'utf8_enabled' => '1',
'restricted_to' => '0',
'restricted_to_roles' => '0',
'enable_send_email_on_user_login' => '0',
'enable_user_can_create_folders' => '0',
'insert_manual_entry_item_history' => '0',
'enable_kb' => '0',
'enable_email_notification_on_item_shown' => '0',
'enable_email_notification_on_user_pw_change' => '0',
'custom_logo' => 'https://xxx',
'custom_login_text' => 'Cofre',
'default_language' => 'english',
'send_stats' => '0',
'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
'send_stats_time' => '1614542739',
'get_tp_info' => '1',
'send_mail_on_user_login' => '0',
'nb_items_by_query' => 'auto',
'enable_delete_after_consultation' => '0',
'enable_personal_saltkey_cookie' => '0',
'personal_saltkey_cookie_duration' => '31',
'email_smtp_server' => 'xxx',
'email_smtp_auth' => '',
'email_auth_username' => '',
'email_auth_pwd' => '',
'email_port' => '25',
'email_security' => '',
'email_server_url' => '',
'email_from' => 'nao-responder@xxx',
'email_from_name' => 'Cofre',
'pwd_maximum_length' => '60',
'google_authentication' => '1',
'delay_item_edition' => '0',
'allow_import' => '1',
'proxy_ip' => '',
'proxy_port' => '',
'upload_maxfilesize' => '10mb',
'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
'upload_imagesext' => 'jpg,jpeg,gif,png',
'upload_pkgext' => '7z,rar,tar,zip',
'upload_otherext' => 'sql,xml,yml,yaml',
'upload_imageresize_options' => '1',
'upload_imageresize_width' => '800',
'upload_imageresize_height' => '600',
'upload_imageresize_quality' => '90',
'use_md5_password_as_salt' => '0',
'ga_website_name' => 'Cofre',
'api' => '1',
'subfolder_rights_as_parent' => '1',
'show_only_accessible_folders' => '0',
'enable_suggestion' => '0',
'otv_expiration_period' => '7',
'default_session_expiration_time' => '60',
'duo' => '0',
'enable_server_password_change' => '0',
'ldap_object_class' => '0',
'bck_script_path' => '/var/www/html/backups',
'bck_script_filename' => '',
'syslog_enable' => '0',
'syslog_host' => 'localhost',
'syslog_port' => '514',
'manager_move_item' => '0',
'create_item_without_password' => '0',
'otv_is_enabled' => '0',
'agses_authentication_enabled' => '0',
'item_extra_fields' => '1',
'saltkey_ante_2127' => 'none',
'migration_to_2127' => 'done',
'files_with_defuse' => 'done',
'timezone' => 'America/Sao_Paulo',
'enable_attachment_encryption' => '1',
'personal_saltkey_security_level' => '50',
'ldap_new_user_is_administrated_by' => '0',
'disable_show_forgot_pwd_link' => '1',
'offline_key_level' => '0',
'enable_http_request_login' => '0',
'ldap_and_local_authentication' => '1',
'secure_display_image' => '1',
'upload_zero_byte_file' => '0',
'upload_all_extensions_file' => '0',
'bck_script_passkey' => 'xxx',
'admin_2fa_required' => '0',
'can_create_root_folder' => '1',
'ga_reset_by_user' => '1',
'bck_script_key' => '',
'password_overview_delay' => '4',
'roles_allowed_to_print_select' => '',
'clipboard_life_duration' => '30',
'mfa_for_roles' => '',
'tree_counters' => '0',
'settings_offline_mode' => '1',
'settings_tree_counters' => '0',
'copy_to_clipboard_small_icons' => '1',
'enable_massive_move_delete' => '0',
'email_debug_level' => '0',
'onthefly-backup-key' => '',
'onthefly-restore-key' => '',
'ldap_user_dn_attribute' => 'distinguishedname',
'ldap_dn_additional_user_dn' => '',
'ldap_user_object_filter' => '',
'ldap_bdn' => 'xxx',
'ldap_hosts' => 'xxx',
'ldap_password' => 'XXX',
'ldap_username' => 'XXX',
'api_token_duration' => '60',
'enable_tasks_manager' => '1',
'task_maximum_run_time' => '300',
'maximum_number_of_items_to_treat' => '300',
'tasks_manager_refreshing_period' => '100',
'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER',
'enable_tasks_log' => '0',
'enable_ad_users_with_ad_groups' => '1',
'enable_ad_user_auto_creation' => '0',
'ldap_group_object_filter' => '(objectClass=group)',
'ldap_guid_attibute' => 'objectguid',
'sending_emails_job_frequency' => '2',
'user_keys_job_frequency' => '1',
'items_statistics_job_frequency' => '5',
'reload_cache_table_task' => '',
'rebuild_config_file' => '',
'purge_temporary_files_task' => '',
'clean_orphan_objects_task' => '',
'users_personal_folder_task' => '',
'maximum_session_expiration_time' => '120',
'items_ops_job_frequency' => '1',
'upgrade_timestamp' => '1702474708',
'teampass_version' => '3.0.10',
'duo_ikey' => 'admin',
```

**Updated from an older Teampass or fresh install:** Updated from older version

PLEASE attach to this issue the file `/includes/config/tp.config.php`.

### Client configuration

**Browser:** Google Chrome

**Operating system:** Windows 10

### Logs

#### Web server error log

```
teampass-nginx-1 | nginx.1 | xxx xxx - - [30/Jan/2024:13:17:56 +0000] "POST /sources/identify.php HTTP/2.0" 200 985 "https://xxx/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "172.20.0.2:80"
teampass-teampass-1 | 172.20.0.3 - - [30/Jan/2024:13:17:56 +0000] "POST /sources/identify.php HTTP/1.1" 200 997 "https://xxx/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
teampass-nginx-1 | nginx.1 | xxx xxx - - [30/Jan/2024:13:17:57 +0000] "POST /sources/identify.php HTTP/2.0" 200 1000 "https://xxx/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "172.20.0.2:80"
teampass-teampass-1 | 172.20.0.3 - - [30/Jan/2024:13:17:57 +0000] "POST /sources/identify.php HTTP/1.1" 200 1012 "https://xxx/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
```

#### Log from the web-browser developer console (CTRL + SHIFT + i)

```json
{
  "GACode": "",
  "login": "xxx",
  "pw": "PASSWORD",
  "duree_session": "60",
  "screenHeight": 588.547,
  "randomstring": "WHL2V9mbLK",
  "TimezoneOffset": 10800,
  "client": "",
  "user_2fa_selection": "google"
}
```
kcbieng commented 9 months ago

So what you're saying is that you're entering the correct username and password, but not the OTP for MFA and the auth failure error is returning the live password in the console.

kcbieng commented 9 months ago

Looks like that's coming from line 654 of /includes/core/login.js.php

It should be noted that it does this with every login, not just failed logins; you just lose it in the console if you don't have your log set to be preserved across pages.

You can set `debugJavascript` to `false` on line 34 of `/includes/core/login.js.php` to stop this behavior on your installation temporarily.

```javascript
// Other values
mfaData['login'] = ($('#login').val());
mfaData['pw'] = ($('#pw').val());
mfaData['duree_session'] = ($('#session_duration').val());
mfaData['screenHeight'] = $('body').innerHeight();
mfaData['randomstring'] = randomstring;
mfaData['TimezoneOffset'] = TimezoneOffset;
mfaData['client'] = client_info;
mfaData['user_2fa_selection'] = mfaMethod;

if (isDuo === true && $("#duo_code").val() !== "" && $("#duo_state").val() !== "") {
    mfaData['duo_code'] = sanitizeString($("#duo_code").val());
    mfaData['duo_state'] = sanitizeString($("#duo_state").val());
    mfaData['user_2fa_selection'] = 'duo';
} else if(mfaMethod === 'duo' && isDuo !== true) {
    mfaData['duo_status'] = 'start_duo_auth';
}

if (debugJavascript === true) {
    console.log('Data submitted to identifyUser:');
    console.log(mfaData);
}
```
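The snippet above logs the whole `mfaData` object, so whenever the debug flag is on the cleartext password (and any OTP or Duo code) ends up in the browser console and in anything that captures it, such as preserved console logs or session-recording tools. Below is an added example of the defensive pattern a maintainer would apply here: redact credential fields before the payload ever reaches `console.log`, and gate debug output behind an explicit flag so a leftover debug setting cannot leak secrets. This is illustration code written for this issue, not TeamPass's own code; `redactForLog`, `debugLog`, `SENSITIVE_FIELDS` and the sample payload are assumptions, with the field names taken from the console dump in the issue.

```javascript
// Added example, not TeamPass code: redact credential fields before any
// debug logging of the login payload so a debug flag left enabled cannot
// expose them. Field names mirror the object shown in the issue; the helper
// names and the sample values below are constructed for illustration.

// Keys whose values must never appear in logs (assumed list).
const SENSITIVE_FIELDS = new Set(['pw', 'GACode', 'duo_code', 'duo_state']);

// Return a shallow copy of `payload` with sensitive values masked. The
// original object that is actually submitted to the server is untouched.
function redactForLog(payload) {
  const safe = {};
  for (const [key, value] of Object.entries(payload)) {
    if (SENSITIVE_FIELDS.has(key)) {
      // Keep only whether a value was supplied at all; never its content.
      safe[key] = value === '' ? '<empty>' : '<redacted>';
    } else {
      safe[key] = value;
    }
  }
  return safe;
}

// Debug output is gated on an explicit flag and always passes through
// redaction, so flipping one constant cannot reintroduce the leak.
// Returns the object that was logged (or null when debugging is off) so
// the behaviour can be checked without capturing console output.
function debugLog(debugEnabled, label, payload) {
  if (debugEnabled !== true) {
    return null;
  }
  const safe = redactForLog(payload);
  console.log(label);
  console.log(safe);
  return safe;
}

// Constructed sample payload with the same shape as the issue's console dump.
const sampleMfaData = {
  GACode: '',
  login: 'jdoe',
  pw: 'S3cret-example-password',
  duree_session: '60',
  screenHeight: 588.547,
  randomstring: 'WHL2V9mbLK',
  TimezoneOffset: 10800,
  client: '',
  user_2fa_selection: 'google',
};

// Stand-alone run: prints the label and the redacted copy, never the password.
debugLog(true, 'Data submitted to identifyUser:', sampleMfaData);
```

The same `debugLog` gate is where a global, admin-controlled debug setting (as proposed later in the thread) would plug in: the flag is read from configuration instead of a constant in the script, and even when it is on, the redaction step keeps credentials out of the console.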
kcbieng commented 9 months ago

@nilsteampassnet would it be possible to use a global setting for debug and turn it off and on in the settings menu? Then it could default to off for new installations and take care of issues like this?